Date: Sun, 2 Aug 2015 12:39:50 -0400 (EDT)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE-2015-1416: vulnerability in patch(1)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD
> fork:
>
> https://svnweb.freebsd.org/base?view=revision&revision=285974
> As for GNU patch, looking in src/inp.c shows it has diverged a lot, but
> I couldn't say if that makes it invulnerable.
Our feeling is that these before-the-fix shell-metacharacter mistakes:
snprintf(buf, sizeof buf, CHECKOUT, filename);
snprintf(lbuf, sizeof lbuf, RCSDIFF, filename);
system(lbuf)
system(buf)
found in
https://raw.githubusercontent.com/bitrig/bitrig/fca5402bc19431b22238f684a78757e989b8b6e7/usr.bin/patch/inp.c
are equivalent to these shell-metacharacter mistakes:
sprintf (buf, elsewhere ? CHECKOUT : CHECKOUT_LOCKED,
dotslash, filename);
sprintf (lbuf, RCSDIFF, dotslash, filename);
system (lbuf)
system (buf)
in
http://git.savannah.gnu.org/cgit/patch.git/snapshot/patch-2.2.tar.gz
(In other words, the same mistakes occurred when providing the same
functionality with the same code structure, and three of the variable
names are identical.)
In
http://git.savannah.gnu.org/cgit/patch.git/snapshot/patch-2.3.tar.gz
is modified code in which the quote_system_arg function (i.e., not
sprintf) is used to add a filename to getbuf and diffbuf, and the
calls to system have been changed to use diffbuf and getbuf. (It is
actually "systemic" rather than "system" but this is largely
irrelevant.) We didn't find a copy of anything in between 2.2 and 2.3.
The quote_system_arg change might have been added in 2.2.5.
In other words, our current understanding is that CVE-2015-1416
applies to the vulnerability identified in all of the previously
mentioned BSD-related code, and also applies to something like "GNU
patch before 2.3" or "GNU patch before 2.2.5." The vulnerability (and
the CVE ID) can, of course, be the same even if the solution approach
is entirely different.
(There is also a somewhat similar issue addressed between 2.5 and
2.5.2/2.5.3, in which some instances of "filename" have a "quotearg
(filename)" replacement. We don't think that the established meaning
of CVE-2015-1416 is associated with those later changes.)
If there is (or ever was) an implementation error in the
quote_system_arg function, then that would have its own CVE ID,
different from CVE-2015-1416. In other words, that error would be
associated with an "incomplete fix for CVE-2015-1416." We have not yet
seen any actual report of this type of an error.
This changelog entry may be of interest:
2010-04-20 Andreas Gruenbacher <agruen@...e.de>
* src/util.c (quote_system_arg): Add a replacement for
quote_system_arg() which uses quotearg's shell quoting style.
In other words, there is a possibility that the 1997 implementation of
quote_system_arg was replaced in 2010 because it was unsafe.
The CVE project hasn't researched (and doesn't plan to research)
whether related types of shell-metacharacter mistakes affected any
version of GNU patch after 2.2.x. We are just clarifying that, for the
specific CVE ID of CVE-2015-1416, the affected GNU patch versions are
defined to be only 2.2.x and earlier.
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJVvkZlAAoJEKllVAevmvmsWS0H/i8An70reChmoc47vDWFydnr
VEEg2MfW/W4OusWTyuDcrj/BAUF/9skCohuIFmQTF/yD8i4ogCrmHlXoXk0/dy9h
jUVM3SKSUIrp6iPnAE9EAv6MhYChkb6mNkd2fhxIFRbjH/Eq6MEaR0DlvkNkVGlZ
tmdmNLwOdbL4xJ7cM7VTLPsfcFAId4FSlscKEndn6pFRaN7i37ToYrd51DN92tCq
jVuYdAu1qZ0ZUeI5jKdUz0TEjZEm8j66m+AJFa/wtD3FhCgW88zHo3Wlc2WHbIng
qH3IhlgNN6yyAm9YDusOA6gnY7bBjXOMXY05vHC2OCkWKEdbeUDImuiGYP0Ij4k=
=pjF4
-----END PGP SIGNATURE-----